Minimalism in Cryptography:
The Even-Mansour Scheme
Revisited
Orr Dunkelman, Nathan Keller,
and Adi Shamir
Haifa University, Bar-Ilan University, and
The Weizmann Institute
April 17-th 2012
Minimal Constructions
A
construction is minimal if it cannot
be simplified by eliminating any one of
its components
Minimalism is a Very Popular Topic
in Cryptography:
There are many papers on:
 Minimal
cryptographic assumptions
 Minimal key sizes
 Minimal # rounds in Feistel structures
 Minimal # of honest parties in Protocols
 …..
Minimal Provably Secure Stream Ciphers:
 The
one time pad:
Ciphertext = Plaintext
+ Key
Minimal Provably Secure Block Ciphers:
 At
Asiacrypt 91, Even and Mansour tried to
construct the simplest possible block cipher
which has a formal proof of security:
P
E
K
C
Minimal Block Ciphers:
 In
a minimal construction, there should be no
key-independent invertible operations F and G
which are applied to the plaintext or ciphertext
P
F
E
K
G
C
Minimal Block Ciphers
 The
simplest way to process the plaintext
and ciphertext in a key dependent way is
to XOR to them a prewhitening key K1 and
a postwhitening key K2:
P
+
E
+
K1
K3
K2
C
The Even-Mansour Scheme:
 Replace
the middle part by a single, publicly
known, randomly selected, keyless permutation F:
|state|=n bits
P
+
K1
|key|=2n bits
F
+
K2
C
The Minimality of the Even-Mansour
Scheme:
 Eliminating
either K1 or K2 makes the
scheme easily breakable since F is known
P
F
+
K2
C
The Minimality of the Even-Mansour
Scheme:
 Eliminating
P
F makes the scheme linear
+
+
K1
K2
C
To Study the Exact Security of EM, We
Have to Formalize an Attack Model:
 Consider
the following 4-tuple of
values in each encryption E(x)=w
X
+
K1
Y
F
Z
+
K2
W
To Study the Security of EM, We
Have to Formalize an Attack Model:
 The
attacker is allowed to ask for D pairs of
known or chosen (X,W) values (D stands for data)
 The attacker is allowed to evaluate (by himself)
T pairs of (Y,Z) values (T stands for time)
X
+
K1
Y
F
Z
+
K2
W
Important Remarks:
 We
are old fashioned cryptanalysts here: A
successful attack means complete key recovery
 We
distinguish between cheap queries to F and
expensive queries to E
Is the Even-Mansour Scheme Secure?
 In
their original paper, Even and Mansour formally
proved that any attack must satisfy DT > Ω(2n)
 The
lower bound proof is information theoretic,
and is applicable both to known plaintext attacks
and to chosen plaintext attacks
The EM Proof of Security (Simplified)
 Initially
there are 22n possible keys (K1,K2)
 Given
D pairs of (X,W) values of E and T pairs of
(Y,Z) values of F, we can combine them in DT
possible ways into a 4-tuple of values (X,Y,Z,W)
W
X
Z
Y
F
+
+
K1
K2
The EM Proof of Security (Simplified)
 Each
4-tuple suggests a unique value for the two
keys via K1=X+Y and K2=Z+W
 We
cannot say that these values are correct.
However, we can say that for each K1 all the
other values of K2 are certainly incorrect
 Similarly,
for each K2 all the other values of K1
are certainly incorrect
The EM Proof of Security (Simplified)
The 22n key combinations:
K2
K1
The EM Proof of Security (Simplified)
Each 4-tuple defines a unique suggestion for the keys:
K2
K1
The EM Proof of Security (Simplified)
We can thus erase the following keys as impossible:
K2
K1
The EM Proof of Security (Simplified)
 Each
one of the DT possible 4-tuples can
eliminate at most 2(2n-1) key pairs (K1,K2)
 To
eliminate all the 22n-1 wrong key pairs, the
number of 4-tuples DT must be at least (1/2)2n
An Interesting Comment:
 The
proof is actually quite subtle, and
formalizing it requires great care.
 To
demonstrate the subtlety, consider the
special case in which the random permutation F
is a random involution (i.e. for all X, F(F(X))=X)
 The
only way this affects the simplified proof
given above is that whenever we query F and
learn that F(X)=Y, we get another value of F
(namely, that F(Y)=X) for free, so this can at
most halve the number of required queries to F
In This Involutional Variant of EM:
 We
can actually find K1 XOR K2 (and
thus eliminate the vast majority of
the wrong keys) by:
– asking only D=2n/2 queries of E
– asking T=0 queries of F
 which
seems to contradict the lower
bound proof that DT > 2n
Going Back to Random Permutations,
Can We Find Matching Upper Bounds?
 It
is easy to find attacks with:
– D=2, T=2n
– T=2, D=2n
 Can
we connect these extreme cases with
a known plaintext attack that matches the
lower bound curve DT = O(2n) for any
combination of D and T?
Previously Published Attacks:
 At
Asiacrypt 1991, Joan Daemen
described a simple differential attack
with any T and D satisfying DT = O(2n),
which matches the lower bound curve,
but requires chosen plaintexts
 At
Eurocrypt 2000, Biryukov and Wagner
described an advanced slide attack
against Even-Mansour, which uses known
plaintexts, but matches the lower bound
curve only at one point: D=2n/2 and T=2n/2
Daemen’s Chosen Plaintext Attack:
 Consider
 Since
the differential properties of F.
it is a random permutation, we
expect each combination of a particular
input difference and a particular output
difference of F to be generated from a
single pair of input values and a single pair
of output values.
Daemen’s Chosen Plaintext Attack:
 Notice
that the XOR’ing of keys to the
inputs and outputs in the Even-Mansour
scheme does not change the input/output
differences of F!
 The
main problem is that going back from
differences to values is a difficult task
Daemen’s Simple Solution:
 Prepare
D pairs of chosen plaintexts with a
fixed non-zero input difference d, ask to
see their encryptions through E, and
compute their output differences
 Prepare
another set of T pairs of chosen
values with the same input difference d,
and compute by yourself through F their
output values (and thus their output
differences)
Daemen’s Simple Solution:
the birthday paradox, when DT > 2n we expect
to find some common output difference in the two
sets of difference values
 Since the actual input/output values in T are known,
we can find the (Y,Z) values in an actual encryption
in D. By combining these (Y,Z) values with (X,W)
values, we can easily recover both K1 and K2
 By
T
D
Ten Years Later, Biryukov and Wagner
Finally Developed a Known Plaintext Attack:


Their attack is an advanced version of a
slide attack
Slide attacks are usually applied to
iterated cryptosystems with a lot of self
similarity under shifts
 This
is surprising, since the Even-Mansour
scheme is not an iterated cryptosystem and
does not seem to have any self similarity
Standard slide attacks try to identify and use
shifted versions of the encryption process:
P1
P2
C1
C2
A Slide with a Twist attack uses shifted versions
of an encryption and a decryption process:
P1
C2
C1
P2
In this advanced form, Even-Mansour has
a very minimal form of self similarity:
K2
F
X1
Y1
Z1
W1
K1
F
K2
K1
W2
Z2
Y2
X2
The Biryukov and Wagner Known Plaintext
Attack on Even-Mansour:
 Given
at least D=2n/2 known
plaintext/ciphertext pairs, we expect
to find such a slid pair among them, in
which X in one encryption happens to
be equal to Y in another encryption
 Slid
pairs can be efficiently
recognized, and once they are found
they can be used to recover the key
by solving the resultant equation
Can you exploit a smaller number of
known plaintext/ciphertext pairs?
 Since
data is much harder to get than
time, D=T=2n/2 is not the ideal point on
the tradeoff curve DT = 2n
 Slide
attacks (like many other
cryptanalytic techniques, including
differential attacks) can not
effectively exploit a small number of
known plaintexts, since they have to
wait for some lucky event to happen by
chance, and only then start the attack
Our New SLIDEX Cryptanalytic Technique:
A Slide Plus a Twist Plus a Difference
K2
F
X1
Y1
Z1
W1
K1
F
K2
c
c
K1
W2
Z2
Y2
X2
Our New SLIDEX Cryptanalytic Technique:
A Slide Plus a Twist Plus a Difference
K2
F
X1
Y1=X2+c
Z1
W1
K1
F
K2
c
c
K1
W2
Z2
Y2=X1+c
X2
Our New SLIDEX Cryptanalytic Technique:
A Slide Plus a Twist Plus a Difference
K2
F
X1
Y1=X2+c
Z1=F(X2+c)
W1
K1
F
K2
c
c
K1
W2
Z2=F(X1+c)
Y2=X1+c
X2
Our New SLIDEX Cryptanalytic Technique:
A Slide Plus a Twist Plus a Difference
K2=W2+F(X1+c)
K2
F
X1
Y1=X2+c
Z1=F(X2+c)
W1
K1
F
K2
c
c
K1
W2
Z2=F(X1+c)
Y2=X1+c
X2
K2=W1+F(X2+c)
Applying the New SLIDEX Attack:
 Given
any number D of known pairs (Xi, Wi),
search for a triplet c, X1, X2 satisfying:
W1+F(X1+c)=W2+F(X2+c)
 The
number of random values c you have to
try is expected to be about 2n/D2, since for
these many D’s the total number of possible
triplets is 2n, and each triplet satisfies the
equation with probability of 2-n
Our New Attack (Continued):
 For
each c we prepare a list of values of
W+F(X+c) for all the D known plaintexts
 Look
for a repetition in each list separately,
from which it is easy to recover the two keys

The total running time is thus
T=(2n/D2)xD=2n/D, so D and T satisfy DT=2n
Let Us Reconsider Now the Basic Question:
Is Even-Mansour Minimal?
 Consider
an even simpler variant of the EvenMansour block cipher, in which K1=K2. Such
simplifications had been suggested before, but
do they provide exactly the same security?
X
+
K
Y
F
Z
+
K
W
The Importance of Having Tight Bounds
Security bounds for
cryptosystem A:
Security bounds for
cryptosystem B:
Lower
bound
Lower
bound
Upper
bound
Upper
bound
The Importance of Having Tight Bounds
Security bounds for
cryptosystem A:
Security bounds for
cryptosystem B:
Real
security
Lower
bound
Upper
bound
Real
security
Lower
bound
Upper
bound
The Equivalence of the Single-Key and
Double-Key Even-Mansour Schemes
 By
carefully examining the lower bound
proof, we can show that the same lower
bound DT > Ω(2n) is also applicable here:
X
+
K
Y
F
Z
+
K
W
Let Us Reconsider Now the Basic
Question: Is Even-Mansour Minimal?
 Clearly,
any attack on the two-key variant of EM
also breaks its single key variant
 Consequently,
Even-Mansour is not minimal, and
can be further simplified by using a single key
without losing any security!
 The
resulting block cipher is extremely simple:
To encrypt a plaintext, XOR a key, apply a fixed
known permutation, and XOR the same key again
Concluding Remarks:
 The
SLIDEX attack is a new known plaintext attack
which overcomes the main limitation of slide
attacks: We no longer have to wait beyond the
birthday bound for the lucky event to happen by
chance – we force it to happen by guessing c
 This
attack solves the 20-year old open problem of
the exact security of the EM scheme, and makes it
possible to further simplify the scheme by using a
single key variant without any loss of security